A method and apparatus for detecting scans are described. In one example, a plurality of flows is allocated into a plurality of bins associated with different source Internet protocol (SIP) addresses. A set of bin characteristics for at least one bin of the plurality of bins is generated if the at least one bin reaches a predefined flow capacity. Afterwards, the set of bin characteristics is compared to a scan characteristics list to determine if a potential scan exists.
Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A method for detecting a scan, comprising: allocating, by a processor, a plurality of flows into a plurality of bins based upon a source internet protocol address of each of the plurality of flows, where each bin of the plurality of bins is associated with a different source internet protocol address; generating, by the processor, a set of bin characteristics for one bin of the plurality of bins if the one bin reaches a predefined flow capacity; and comparing, by the processor, the set of bin characteristics to a scan characteristics list to determine if the scan exists.
A method for detecting network scans sorts network traffic flows into bins, one bin per source IP address. Once a bin reaches its predefined flow capacity, the system generates a set of characteristics for that bin and compares it to a list of known scan characteristics. A match indicates a potential scan originating from that source IP address.
2. The method of claim 1 , further comprising: updating summary characteristics of the one bin if the set of bin characteristics matches an entry in the scan characteristics list.
The scan detection method described above further includes updating summary characteristics of the bin if the bin's characteristics match an entry in a scan characteristics list. This updating process occurs after determining that a potential scan exists based on the initial comparison of bin characteristics to the scan characteristics list, allowing for the accumulation of data relating to ongoing or suspected scans.
3. The method of claim 2 , further comprising: updating a flow count of the summary characteristics if the set of bin characteristics matches the summary characteristics.
In addition to the bin summary updating described above, the method increments a flow count in the summary characteristics when the bin's characteristics match the existing summary characteristics. Successive capacity-triggered comparisons for the same source therefore accumulate into one count instead of being judged in isolation, giving a quantitative measure of how much scan-like traffic the source has produced.
4. The method of claim 3 , further comprising: detecting a scan if the updated flow count exceeds a predetermined threshold.
Building upon the previous methods, a scan is detected when the updated flow count in the bin's summary characteristics exceeds a predetermined threshold. The threshold acts as the trigger for alerting or mitigation: a single bin that happens to resemble a scan does not by itself raise an alert, only sustained scan-like traffic from one source IP does.
5. The method of claim 3 , wherein the summary characteristics comprise a scan type and the flow count.
In the scan detection system, the summary characteristics stored for a bin comprise a scan type and the flow count. The scan type identifies the kind of scan matched (for example, the class based scan of claim 6), while the flow count is the number of flows matching that scan type. Together they give a concise summary of the scan activity associated with a given source IP address.
6. The method of claim 5 , wherein the scan type comprises a class based scan.
Within the scan detection system, the scan type recorded in the summary characteristics includes a class based scan: a scan that sweeps a range of destination addresses within one address class (for example, a Class C sized block) rather than targeting a single host. This lets the system flag sources that are enumerating an entire network range.
7. The method of claim 1 , wherein the bin characteristics comprise a source internet protocol address, a destination internet protocol address, a source port, a destination port, a transmission control protocol flag, and a protocol.
In the scan detection method, the bin characteristics used for comparison comprise the source IP address, destination IP address, source port, destination port, the transmission control protocol (TCP) flags, and the protocol (e.g., TCP, UDP, ICMP). Taken over the flows in a bin, these fields fingerprint the traffic from one source, which is what is matched against the scan characteristics list.
8. A tangible computer-readable medium storing instructions which, when executed by a processor, cause the processor to perform operations for detecting a scan, the operations comprising: allocating a plurality of flows into a plurality of bins based upon a source internet protocol address of each of the plurality of flows, where each bin of the plurality of bins is associated with a different source internet protocol address; generating a set of bin characteristics for one bin of the plurality of bins if the one bin reaches a predefined flow capacity; and comparing the set of bin characteristics to a scan characteristics list to determine if the scan exists.
A computer-readable medium contains instructions that, when executed by a processor, implement the same scan detection procedure as claim 1: network traffic flows are sorted into bins, one bin per source IP address; once a bin reaches its predefined flow capacity, a set of characteristics is generated for that bin and compared to a list of known scan characteristics; a match indicates a potential scan originating from that source IP address.
9. The tangible computer-readable medium of claim 8 , wherein the operations further comprise: updating summary characteristics of the one bin if the set of bin characteristics matches an entry in the scan characteristics list.
The computer-readable medium described above further includes instructions for updating summary characteristics of the bin if the bin's characteristics match an entry in a scan characteristics list. This updating process occurs after determining that a potential scan exists based on the initial comparison of bin characteristics to the scan characteristics list, allowing for the accumulation of data relating to ongoing or suspected scans.
10. The tangible computer-readable medium of claim 9 , wherein the operations further comprise: updating a flow count of the summary characteristics if the set of bin characteristics matches the summary characteristics.
In addition to the bin summary updating described above, the computer-readable medium includes instructions that increment a flow count in the summary characteristics when the bin's characteristics match the existing summary characteristics, so that successive capacity-triggered comparisons for the same source accumulate into one count.
11. The tangible computer-readable medium of claim 10 , wherein the operations further comprise: detecting a scan if the updated flow count exceeds a predetermined threshold.
Building upon the previous operations, the instructions detect a scan when the updated flow count in the bin's summary characteristics exceeds a predetermined threshold. The threshold is the trigger for alerting or mitigation: a single scan-like bin does not by itself raise an alert.
12. The tangible computer-readable medium of claim 10 , wherein the summary characteristics comprise a scan type and the flow count.
In the scan detection system implemented on the computer-readable medium, the summary characteristics stored for a bin comprise a scan type and the flow count. The scan type identifies the kind of scan matched (for example, the class based scan of claim 13), while the flow count is the number of flows matching that scan type.
13. The tangible computer-readable medium of claim 12 , wherein the scan type comprises a class based scan.
Within the scan detection system implemented by the computer-readable medium, the scan type recorded in the summary characteristics includes a class based scan: a scan that sweeps a range of destination addresses within one address class (for example, a Class C sized block) rather than targeting a single host.
14. The tangible computer-readable medium of claim 8 , wherein the bin characteristics comprise a source internet protocol address, a destination internet protocol address, a source port, a destination port, a transmission control protocol flag, and a protocol.
In the scan detection method implemented by the computer-readable medium, the bin characteristics used for comparison comprise the source IP address, destination IP address, source port, destination port, the TCP flags, and the protocol (e.g., TCP, UDP, ICMP), taken over the flows in the bin.
15. An apparatus for detecting a scan, comprising: a processor; and a computer-readable medium storing instructions which, when executed by the processor, cause the processor to perform operations, the operations comprising: allocating a plurality of flows into a plurality of bins based upon a source internet protocol address of each of the plurality of flows, where each bin of the plurality of bins is associated with a different source internet protocol address; generating a set of bin characteristics for one bin of the plurality of bins if the one bin reaches a predefined flow capacity; and comparing the set of bin characteristics to a scan characteristics list to determine if the scan exists.
An apparatus for detecting network scans includes a processor and a computer-readable medium containing instructions. When executed, the instructions perform the procedure of claim 1: network traffic flows are sorted into bins, one bin per source IP address; once a bin reaches its predefined flow capacity, a set of characteristics is generated for that bin and compared to a list of known scan characteristics; a match indicates a potential scan originating from that source IP address.
16. The apparatus of claim 15 , wherein the operations further comprise: updating summary characteristics of the one bin if the set of bin characteristics matches an entry in the scan characteristics list.
The scan detection apparatus further includes instructions for updating summary characteristics of the bin if the bin's characteristics match an entry in a scan characteristics list. This updating process occurs after determining that a potential scan exists based on the initial comparison of bin characteristics to the scan characteristics list, allowing for the accumulation of data relating to ongoing or suspected scans.
17. The apparatus of claim 16 , wherein the operations further comprise: updating a flow count of the summary characteristics if the set of bin characteristics matches the summary characteristics.
In addition to the bin summary updating, the scan detection apparatus increments a flow count in the summary characteristics when the bin's characteristics match the existing summary characteristics, so that successive capacity-triggered comparisons for the same source accumulate into one count.
18. The apparatus of claim 17 , wherein the operations further comprise: detecting a scan if the updated flow count exceeds a predetermined threshold.
Building upon the previous functions, the scan detection apparatus detects a scan when the updated flow count in the bin's summary characteristics exceeds a predetermined threshold. The threshold is the trigger for alerting or mitigation: a single scan-like bin does not by itself raise an alert.
19. The apparatus of claim 17 , wherein the summary characteristics comprise a scan type and the flow count.
In the scan detection apparatus, the summary characteristics stored for a bin comprise a scan type and the flow count. The scan type identifies the kind of scan matched (for example, a class based scan), while the flow count is the number of flows matching that scan type.
20. The apparatus of claim 15 , wherein the bin characteristics comprise a source internet protocol address, a destination internet protocol address, a source port, a destination port, a transmission control protocol flag, and a protocol.
In the scan detection apparatus, the bin characteristics used for comparison comprise the source IP address, destination IP address, source port, destination port, the TCP flags, and the protocol (e.g., TCP, UDP, ICMP), taken over the flows in the bin.
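The following is an added worked example of the procedure the method, medium and apparatus claims all describe (claims 1-7, 8-14 and 15-20); it is not code from the patent or its assignee. It bins flows by source IP, characterises a bin when it reaches capacity, compares the characteristics to a scan characteristics list, keeps a per-source summary of scan type and flow count, and raises a detection when the count exceeds a threshold. The capacity (8), threshold (16), the two list entries (a port scan and a class based scan read as a sweep of one /24), the emptying of a bin after characterisation, and the sample traffic are all assumptions made for the example.

```python
"""Scan detection by per-source-IP binning, structured after claims 1-7 (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    """One flow record; the fields are the bin characteristics named in claim 7."""
    sip: str
    dip: str
    sport: int
    dport: int
    tcp_flags: str   # e.g. "S" = SYN only, "SAPF" = full exchange
    proto: str       # "tcp", "udp", "icmp"


@dataclass(frozen=True)
class BinCharacteristics:
    """The claim-7 fields aggregated over every flow currently in one bin."""
    sip: str
    dips: frozenset
    dports: frozenset
    tcp_flags: frozenset
    protos: frozenset


def characterize(flows):
    return BinCharacteristics(
        sip=flows[0].sip,
        dips=frozenset(f.dip for f in flows),
        dports=frozenset(f.dport for f in flows),
        tcp_flags=frozenset(f.tcp_flags for f in flows),
        protos=frozenset(f.proto for f in flows),
    )


# Scan characteristics list (claim 1). Both entries and their cut-offs are hypothetical.
def is_port_scan(c):
    # one target host, several destination ports, SYN-only TCP probes
    return len(c.dips) == 1 and len(c.dports) >= 4 and c.protos == {"tcp"} and c.tcp_flags == {"S"}


def is_class_based_scan(c):
    # several hosts inside one /24 (assumed reading of "class based"), one destination port
    nets = {ipaddress.ip_network(f"{d}/24", strict=False) for d in c.dips}
    return len(c.dips) >= 4 and len(nets) == 1 and len(c.dports) == 1


SCAN_CHARACTERISTICS = [("port scan", is_port_scan), ("class based scan", is_class_based_scan)]


class ScanDetector:
    def __init__(self, capacity=8, threshold=16):
        self.capacity = capacity       # predefined flow capacity (claim 1), assumed value
        self.threshold = threshold     # predetermined threshold (claim 4), assumed value
        self.bins = defaultdict(list)  # source IP -> flows allocated to that bin
        self.summary = {}              # source IP -> {"scan_type", "flow_count"} (claim 5)
        self.detected = []             # (sip, scan_type, flow_count) each time claim 4 fires

    def ingest(self, flow):
        """Allocate one flow to its source-IP bin; returns a detection tuple or None."""
        b = self.bins[flow.sip]
        b.append(flow)
        if len(b) < self.capacity:
            return None
        n, chars = len(b), characterize(b)
        self.bins[flow.sip] = []       # assumption: the bin is emptied once characterised
        return self._compare(chars, n)

    def _compare(self, chars, n):
        for scan_type, matches in SCAN_CHARACTERISTICS:
            if not matches(chars):
                continue
            s = self.summary.setdefault(chars.sip, {"scan_type": scan_type, "flow_count": 0})
            if s["scan_type"] == scan_type:        # claim 3: same type, add the bin's flows
                s["flow_count"] += n
            else:                                  # assumption: a new type restarts the count
                s.update(scan_type=scan_type, flow_count=n)
            if s["flow_count"] > self.threshold:   # claim 4
                hit = (chars.sip, scan_type, s["flow_count"])
                self.detected.append(hit)
                return hit
            return None
        return None


def run_demo():
    """Constructed traffic: a port scanner, a /24 sweep and a benign HTTPS client, interleaved."""
    det = ScanDetector()
    port_scan = [Flow("198.51.100.7", "203.0.113.5", 40000 + p, p, "S", "tcp") for p in range(1, 25)]
    sweep = [Flow("198.51.100.9", f"192.0.2.{h}", 51000 + h, 22, "S", "tcp") for h in range(1, 25)]
    benign = [Flow("198.51.100.8", "203.0.113.5", 52000 + i, 443, "SAPF", "tcp") for i in range(24)]
    for trio in zip(port_scan, sweep, benign):     # interleaving is why binning by SIP matters
        for f in trio:
            det.ingest(f)
    return det


if __name__ == "__main__":
    for sip, kind, count in run_demo().detected:
        print(f"{sip}: {kind} ({count} flows)")
```

With capacity 8 and threshold 16, each scanning source needs three full bins before its count (24) exceeds the threshold, so the first two bins only update the summary; the benign client never matches an entry and never acquires a summary.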
April 15, 2011
August 13, 2013